Workplace Investigations

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. Employers are often involved in checking the information and materials stored in the computers, hard disks and other electronic office equipment provided to employees in internal investigation and are likely to access the employees' personal information including personal privacy information, such as the communication records stored in instant communication software such as WeChat, QQ or other instant communication software or to and from private email boxes. According to the Personal Information Protection Law of the PRC, employers are required to perform the obligation of informing and obtain the individuals' consent prior to the processing of personal information, i.e. the principle of informing + consent. Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if it is explicitly stated in the relevant rules and regulations that the employer shall have the right to the work equipment provided to the employees or obtains the employees' personal consent.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

There are legal requirements related to the time you must keep certain employee records in Australia, such as pay slips and time sheets. However, there are no laws concerning disciplinary records.

Employers can rely on previous misconduct to justify an employee’s termination of employment where it can be shown it is part of a course of conduct. Accordingly, if complaints have been substantiated, and disciplinary action has been taken, these records should be maintained. However, if a significant period has elapsed since the misconduct, an employer should carefully consider whether it is appropriate to rely on this past behaviour to justify future disciplinary action for similar conduct.

The relevant laws and regulations in the PRC have not clarified the retention period of the investigation findings. According to Article 19 of the Personal Information Protection Law of the PRC, unless otherwise required by laws or administrative regulations, the retention period of personal information shall be the shortest period necessary to achieve the purpose of handling the information. Since the employee's personal information is very likely to be involved in the investigation findings, such report should be retained for the shortest period necessary to achieve the purpose of handling the information. In general, once the investigation is completed, the purpose of the internal investigation has been achieved or it is no longer necessary to achieve the purpose, and the employer may, in accordance with Article 22 of the Administrative Regulations of the PRC on Network Data Security (Draft for Comments), delete or anonymize the personal information within fifteen (15) working days. If it is technically difficult to delete the personal information, or it is difficult to do so within fifteen (15) working days due to business complexity or other reasons, the employer shall not conduct any processing other than storing the personal information and adopting necessary security measures, and shall give reasonable explanations to the employee.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]